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DETECTING COMPROMISED BALLOTS 
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TECHNICAL FIELD 

[0002] The present invention is directed to the fields of election automation and 

cryptographic techniques therefor. 

BACKGROUND 

[0003] The problems of inaccuracy and inefficiency have long attended conventional, 

manually-conducted elections. While it has been widely suggested that computers could be 
used to make elections more accurate and efficient, computers bring with them their own 
pitfalls. Since electronic data is so easily altered, many electronic voting systems are prone 
to several types of failures that are far less likely to occur with conventional voting systems. 

[0004] One class of such failures relates to the uncertain integrity of the voter's computer, 

or other computing device. In today's networked computing environment, it is extremely 
difficult to keep any machine safe from malicious software. Such software is often able to 
remain hidden on a computer for long periods of time before actually performing a 
malicious action. In the meantime, it may replicate itself to other computers on the 
network, or computers that have some minimal interaction with the network. It may even 
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be transferred to computers that are not networked by way of permanent media carried by 
users. 

[0005] In the context of electronic secret ballot elections, this kind of malicious software is 

especially dangerous, since even when its malicious action is triggered, it may go 
undetected, and hence left to disrupt more elections in the future. Controlled logic and 
accuracy tests ("L&A tests") monitor the processing of test ballots to determine whether a 
voting system is operating properly, and may be used in an attempt to detect malicious 
software present in a voter's computer. L&A tests are extremely difficult to conduct 
effectively, however, since it is possible that the malicious software may be able to 
differentiate between "real" and "test" ballots, and leave all "test" ballots unaffected. Since 
the requirement for ballot secrecy makes it impossible to inspect "real" ballots for 
compromise, even exhaustive L&A testing may prove futile. The problem of combating this 
threat is known as the "Client Trust Problem." 

[0006] Most existing methods for solving the Client Trust Problem have focused on 

methods to secure the voting platform, and thus provide certainty that the voter's computer 
is "clean," or "uninfected." Unfortunately, the expertise and ongoing diligent labor that is 
required to achieve an acceptable level of such certainty typically forces electronic voting 
systems into the controlled environment of the poll site, where the client computer systems 
can be maintained and monitored by computer and network experts. These poll site systems 
can still offer some advantages by way of ease of configuration, ease of use, efficiency of 
tabulation, and cost. However, this approach fails to deliver on the great potential for 
distributed communication that has been exploited in the world of e-commerce. 

[0007] Accordingly, a solution to the Client Trust Problem that does not require the voting 

platform to be secured against malicious software, which enables practically any computer 
system anywhere to be used as the voting platform, would have significant utility. 

BRIEF DESCRIPTION OF DRAWINGS 

[0008] Figure 1 is a high-level block diagram showing a typical environment in which the 

facility operates. 



[32462-8006US03/SL020490.01 9] 



-2- 



2/20/02 



I ' ' 



[0009] Figure 2 is a block diagram showing some of the components typically incorporated 

in at least some of the computer systems and other devices on which the facility executes. 

[0010] Figure 3 is a flow diagram showing steps typically performed by the facility in order 

to detect a compromised ballot. 

DETAILED DESCRIPTION 

[0011] A software facility for detecting ballots compromised by malicious programs ("the 

facility") is provided. The approach employed by the facility typically makes no attempt to 
eliminate, or prevent the existence of malicious software on the voting computer. Instead, 
it offers a cryptographically secure method for the voter to verify the contents of the voter's 
ballot as it is received at the vote collection center, without revealing information about the 
contents (ballot choices) to the collection center itself. That is, the vote collection center 
can confirm to the voter exactly what choices were received, without knowing what those 
choices are. Thus, the voter can detect any differences between the voter's intended 
choices, and the actual choices received at the vote collection center (as represented in the 
transmitted voted ballot digital data). Further, each election can choose from a flexible set 
of policy decisions allowing a voter to re-cast the voter's ballot in the case that the received 
choices differ from the intended choices. 

[0012] The facility is described in the context of a fairly standard election setting. For ease 

of presentation, initial discussion of the facility assumes that there is only one question on 
the ballot, and that there are a set of K allowable answers, a h ...,a K (one of which may be 
"abstain"). It will be appreciated by those of ordinary skill in the art that it is a 
straightforward matter to generalize the solution given in this situation to handle the vast 
majority of real world ballot configurations. 

[0013] Several typical cryptographic features of the election setting are: 

1 . Ballot Construction: A set of cryptographic election parameters are agreed 
upon by election officials in advance, and made publicly known by wide 
publication or other such means. Significant parameters are the encryption 



[32462-8006US03/SL020490.01 9] 



-3- 



2/20/02 



m 



00; 



groz/p, generator, election public key and decision encoding scheme. More 
specifically, these are: 

(a) The encryption group, G may be Z p with /? a large prime, or an elliptic 
curve group. 

(b) The generator, g^G. In the case G=Z p g should generate a (multiplicative) 
subgroup, (g), of G* which has large prime order q. In the elliptic curve 
case we assume <g)=G and #=p. 

(c) The election public key, he(g). 

(d) The decision encoding scheme: A partition of (g) into "answer 
representatives." That is, (g^QuS^S^ where the S k are pair wise 
disjoint subsets of <g). For each 1<£<£; any message meS^ represents a 
vote for a A . The remaining messages, /wg5 0 are considered invalid. 
Typically, each S h \<k<K, consists of a single element, ju h though this is 
not, fundamentally, a requirement. For the security of the scheme, however, 
it is generally required that the ju k are generated independently at random 
either using some public random source, or by an acceptable sharing scheme. 

[0014] While the following discussion uses multiplicative group notation for the sake of 

consistency, it should be clear that all constructions can be implemented equally well using 
elliptic curves. 

2. Vote Submission: Each voter, v., encrypts her vote, or decision, as an 

ElGamal pair, (X t , Y t ) = (g* 1 , h a > , m l ) , where a^Z q is chosen randomly by 

the voter, and m i sS k if v t wishes to choose answer a k . This encrypted value 
is what is transmitted to the vote collection center (cast), usually with an 
attached digital signature created by v f . 
[0015] If the voter, v /? were computing these values herself - say with pencil and paper - 

this protocol would essentially suffice to implement a secret ballot, universally verifiable 
election system. (Depending on the tabulation method to be used, some additional 
information, such as a voter proof of validity would be necessary.) However, since in 
practice, v- only makes choices through some user interface, it is not realistic to expect her 
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to observe the actual value of the bits sent and check them for consistency with her intended 
choice. In short, the vote client can ignore voter intent and submit a "//, vote" when the 
voter actually wished to submit a "ju k vote." 
[0016] The voter typically needs some way to verify that the encrypted vote which was 

received at the vote collection center is consistent with her choice. Simply making the 
ballot box data public does not a reasonable solution, since the vote client, not the voter, 
chooses a t . For reasons of vote secrecy, and coercion, this value should be "lost." So v/s 
encrypted vote is as opaque to her as it is to anyone else. A generic confirmation from the 
vote collection center is obviously not sufficient either. The general properties of what is 
needed are properties: 

1 . The confirmation string, C, returned by the vote collection center, needs to 
be a function of the data (encrypted vote) received. 

2. The voter and vote client should be able to execute a specific set of steps 
that allow the voter to tie C exclusively to the choice (or vote), ju h that was 
received. 

3 . It should be impossible for the vote client to behave in such a way that the 
voter "is fooled. " That is, the client can not convince the voter that ju k was 
received, when actually, ju^ju k was received. 

[0017] In this section, we present such a scheme, which we shall refer to as SVC, in its basic 

form. In following sections, we offer some improvements and enhancements. 
[001 8] The following steps are typically performed as part of the voting process. 

CC-1. The vote client, M f , "operated by" v J3 creates an encrypted ballot on behalf of v { as 
before. Let us denote this by (X„Y,) = {g a, X'm) , for some value m,e<g) and 

CC-2. M i is also required to construct a validity proof, P { , which is a zeroknowledge proof 
that wjj-s {//!,...,//£-}. (Such a proof is easily constructed from the basic Chaum- 
Pederson proof for equality of discrete logarithms using the techniques of [CDS94]. 
See [CGS97] for a specific example.) 

CC-3. M { then submits both P t and the (signed) encrypted vote, (X^) to the vote 
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collection center. 

CC-4. Before accepting the encrypted ballot, the vote collection center first checks the 
proof, P v If verification of P t fails, corruption has already been detected, and the vote 
collection center can either issue no confirmation string, or some default random one. 

CC-5. Assuming then that verification of P f succeeds, the vote collection center computes 
the values, W i and U { as, 



W t = K t Y* = K t h^'m 1 f> ' 



(1) 



U. = (2) 
where K ; eG and P,eZ„ are generated randomly and independently (on a voter-by- 
voter basis). 

CC-6. The vote collection center then returns (U i9 W t ) to M v 
CC-7. The client, M i9 computes 

C t = VJU* 1 = K t m?> (3) 

and display this string (or, more likely, a hash of it, H(C t )) to the voter, v v 
[0019] The voter needs to know which confirmation string to look for. This can be 

accomplished in two different ways. The most straightforward is to have the voter, v /? 
obtain K ( and from the vote collection center. This is workable, requires very little data 
to be transferred, and may be well suited to some implementations. However, in other 
situations, it may be an unattractive approach because Q (or #(Q) must then be 
computed. Since asking M i to perform this computation would destroy the security of the 
scheme, v t must have access to an additional computing device, as well as access to the 
independent communication channel. 
[0020] An alternative is to have the vote collection center compute all possible confirmation 

strings for v /5 and send what amounts to a confirmation dictionary to v i via the independent 
channel In general, the confirmation dictionary for voter v f would consist of the following 
table laid out in any reasonable format: 
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Answer 


Confirmation String 


i 


H(C n ) 




H(C i2 ) 




* 


a K 


H{C iK ) 



n i 



where # is the election's public (published) hash function (possibly the identity function), 
and C if =K iM f, 

[0021] Of course care must be used in engineering the independent channel to be sure that 

it really is independent. Ideally, it should be inaccessible to devices connected to the voting 
network. Solutions are available, however. Since the K f and can be generated in 
advance of the election, even slow methods of delivery, such as surface mail, can be 
employed to transmit the dictionary. 

[0022] In order to more completely describe the facility, an example illustrating the 

operation of some of its embodiments is described. The following is a detailed example of a 
Secret Value Confirmation exchange. 

[0023] In order to maximize the clarity of the example, several of the basic parameters used 

- for example, the number of questions on the ballot, and the size of the cryptographic 
parameters - are much smaller than those that would be typically used in practice. Also, 
while aspects of the example exchange are discussed below in a particular order, those 
skilled in the art will recognize that they may be performed in a variety of other orders. 

[0024] Some electronic election protocols include additional features, such as: 

• voter and authority certificate (public key) information for 
authentication and audit 

• ballot page style parameters 



• data encoding standards 
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• tabulation protocol and parameters 

[0025] As these features are independent of the Secret Value Confirmation implementation, 

a detailed description of them is not included in this example. 

[0026] This example assumes an election protocol that encodes voter responses (answers) 

as a single ElGamal pair. However, from the description found here, it is a trivial matter to 
also construct a Secret Value Confirmation exchange for other election protocols using 
ElGamal encryption for the voted ballot. For example, some embodiments of the facility 
incorporate the homomorphic election protocol described in U.S. Patent Application No. 
09/535,927. In that protocol, a voter response is represented by multiple ElGamal pairs. 
The confirmation dictionary used in this example is easily modified to either display a 
concatenation of the respective confirmation strings, or to display a hash of the sequence of 
them. 

[0027] The jurisdiction must first agree on the election initialization data. This at least 

includes: the basic cryptographic numerical parameters, a ballot (i.e., a set of questions and 
allowable answers, etc.) and a decision encoding scheme. (It may also include additional 
data relevant to the particular election protocol being used.) 

Cryptographic Parameters 



Group Arithmetic: Integer multiplicative modular arithmetic 
Prime Modulus: p = 41 
Subgroup Modulus: q-23 
Generator: g = 2 

Public Key: h = g s where s is secret. For the sake of this example, 
let us say that h = g u = 7 . 



Ballot 



• One Question 
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Question 1 Text: Which colors should we make our flag? (Select at 
most 1.) 

Number of answers/choices: 4 

* Answer 1 Text: Blue 

* Answer 2 Text: Green 

* Answer 3 Text: Red 

* Answer 4 Text: I abstain 

Decision Encoding Scheme 



Choice 


Response Value 


Blue 


9(M) 


Green 


21(a) 


Red 


36(a) 


I abstain 


17 U) 



At some point, before issuing a confirmation and before distributing the voter 
confirmation dictionaries, the ballot collection center (or agency) generates random, 
independent J3 t and K t for each voter, V t . If the confirmation dictionary is to be sent after 

vote reception, these parameters can be generated, on a voter by voter basis, immediately 
after each voted ballot is accepted. Alternatively, they can be generated in advance of the 
election. In this example, the ballot collection agency has access to these parameters both 
immediately after accepting the voted ballot, and immediately before sending the respective 
voter's confirmation dictionary. 

Sometime during the official polling time, each voter, V, obtains and authenticates 
the election initialization data described above. It can be obtained by submitting a "ballot 
request" to some ballot server. Alternatively, the jurisdiction may have some convenient 



[32462-8006US03/SL020490.01 9] 



2/20/02 



means to "publish" the election initialization data - that is, make it conveniently available to 
all voters. 

[0030] From the election initialization data, V is able to determine that the expected 

response is the standard encoding of a particular sequence of two distinct data elements. 
These are (in their precise order): 

Choice Encryption 

[0031] A pair of integers (X, Y) with 0 < X, Y < 47 indicating (in encrypted form) the 

voter's choice, or answer. For the answer to be valid, it must be of the form, 
(X, Y) = (l\ T/d) , where 0 < a < 23 and ju e {% 21, 36, 17} . 

Proof of Validity 

A proof of validity showing that (X, 7) is of the form described in the choice 

encryption step above. (In this example, we shall see that this proof consists of 15 modular 
integers arranged in specific sequence.) 

For the sake of this example, let us assume that V wishes to cast a vote for 
"Green." 

1. V generates aeZ 23 randomly. In this example, a = 5. Since the 
encoding of "Green" is 21, V 's choice encryption is computed as 

(X, Y) = (2\ T x 2l) = (32, 24) (4) 

This pair is what should be sent to the vote collection center. The potential 
threat is that V 5 s computer may try to alter these values. 
[0034] Voter V (or more precisely, V's computer) must prove that one of the following 

conditions hold 

1 . (X, Y) = (2\ T x 9) i.e. choice (vote cast) is "Blue" 

2. (X 9 Y) = {l\ T x 21) i.e. choice (vote cast) is "Green" 



[0032] 




[0033] 
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3 . (X, Y) = (l a , T x 36) i.e. choice (vote cast) is "Red" 

4. (X, Y) = (l a , V x 17) i.e. choice (vote cast) is "I abstain" 

for some unspecified value of a without revealing which of them actually does hold. 
[0035] There are a variety of standard methods that can be used to accomplish this. See, 

for example, R. Cramer, I. Damgard, B. Schoenmakers, Proofs of partial knowledge and 
simplified design of witness hiding protocols, Advances in Cryptology - CRYPTO '94, 
Lecture Notes in Computer Science, pp. 174-187, Springer- Verlag, Berlin, 1994. The 
Secret Value Confirmation technique used by the facility works equally well with any 
method that satisfies the abstract criteria of the previous paragraph. While details of one 
such validity proof method are provided below, embodiments of the facility may use validity 
proofs of types other than this one. 

Validity Proof Construction: 

[0036] (In what follows, each action or computation which V is required to perform is 

actually carried out by V's computer.) 

1. V sets a 2 - a = 5. 

2. V generates 0) 2 e R Z 23 , r„ r 3> r 4 e R Z 23 , s lt s 3 , s 4 e R Z 23 all randomly and 
independently. For this example we take 

a) 2 =A (5) 

/;=16, 7-3=17, r 4 =21 
s l = 12, s 3 =4, .v 4 = 15 

3. V computes corresponding values 

a,=g ri X- Sl = 2 ,6 x32 n =4 (6) 

a 2 =g»> = 2 4 =16 
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a 3 =g r >X~ s > = 2 ,7 x32 19 =6 

a A = g u X-< = 2 2, x32 8 =9 

bi=h ^Y/9y Sl = 7 16 x(24/9) n =18 

b 2 =h^ = 7 4 =4 

b 3 = W (7/36)" 13 = 7 17 x(24/36) ,9 =l 

b 4 =K>(7/n)~* = 7 21 x(24/17) 8 =7 



(7) 



4. F uses a publicly specified hash function H to compute c e Z 23 as 

c = #({X,r,a>,}) l</<4 (8) 

Since many choices of the hash function are possible, for this example we can just 
pick a random value, say 

c = 19. (9) 

(In practice, SHA1, or MD5, or other such standard secure hash function may be 
used to compute H .) 

5. V computes the interpolating polynomial P(x) of degree 4-1 = 3. The 
defining properties of P are 

P(0) = c = 19 (10) 
P(\) = s x =\2 
P(3) = s 3 =4 
P(4) = 5 4 =15 
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P(x) = Y%o z j xl is computed using standard polynomial interpolation 
theory, to yield: 

P(x) = x 3 +20x 2 +l*x + 19 (11) 



or 



z 0 =19 z, =18 
z 2 =20 z,=l 



(12) 



6. V computes the values 



, 2 =P(2) = 5 (13) 



r 2 =co 2 + a 2 s 2 =4+5x5 = 6 



7 . V 's validity proof consists of the 1 2 numbers 
and the three numbers 

ML < ,5 > 

in precise sequence. (z 0 need not be submitted since it is computable from 
the other data elements submitted using the public hash function H .) 

[0037] Having computed the required choice encryption, (X, Y), and the corresponding 

proof of validity, V encodes these elements, in sequence, as defined by the standard 
encoding format. The resulting sequences form V 's voted ballot. (In order to make the 
ballot unalterable, and indisputable, V may also digitally sign this voted ballot with his 
private signing key. The resulting combination of V 's voted ballot, and his digital signature 
(more precisely, the standard encoding of these two elements) forms his signed voted 
ballot.) Finally, each voter transmits his (optionally signed) voted ballot back to the data 
center collecting the votes. 
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f" ; 1: 



Sift* 



As described above, the voter specific random parameters for V (fl and K) are 
available at the vote collection center. In this example, these are 

£ = 18 K=31 (16) 
[0039] When the voter's (optionally signed) voted ballot is received at the vote collection 

center, the following steps are executed 

1 . The digital signature is checked to determine the authenticity of the ballot, as 
well as the eligibility of the voter. 

2. If the signature in step 1 verifies correctly, the vote collection center then 
verifies the proof of validity. For the particular type of validity proof we 
have chosen to use in this example, this consists of 

(a) The public hash function H is used to compute the value of 
P(0) = z 0 

z 0 =P(0) = H({XJ^bX =} ) = l9 07) 

(Recall that the remaining coefficients of P, z p z 2 , z 3 , are part of 
V 's (optionally signed) voted ballot submission.) 

(b) For each 1 < j < 4 both sides of the equations 

a } =g" X f }) (18) 

are evaluated. (Here, as described above, the /u ] are taken from the 
Decision Encoding Scheme.) If equality fails in any of these, 
verification fails. This ballot is not accepted, and some arbitrary 
rejection string (indication) is sent back to V . 

3. Assuming that the previous steps have passed successfully, the reply string 
(W, £/) is computed as 

[32462-8006US03/SL020490.01 9] - 1 4- 2/20/02 



W = KY P =37x24 18 =9 



(19) 



U = h? =7 18 =42 

This sequenced pair is encoded as specified by the public encoding format, 
and returned to V . 

4. V's computer calculates 

C = W/U a =9/(42f=lS (20) 

and displays this string to V . (Alternatively, the protocol may specify that a 
public hash function is computed on C and the resulting hash value 
u displayed. In this example, C itself is displayed.) If V's computer 

9 attempted to submit a choice other than "Green," the value of C computed 

O 

CO above would be different. Moreover, the correct value of C cannot be 

fg computed from an incorrect one without solving the Diffie-Hellman problem. 

p 1 (For the small values of p and q we have used here, this is possible. 

a However, for "real" cryptographic parameters, F's computer would be 

P 

m unable to do this.) Thus, if V 's computer has submitted an encrypted ballot 

% which does not correspond to V's choice, there are only two things it can 

fj do at the point it is expected to display a confirmation. It can display 

something, or it can display nothing. In the case that nothing is displayed, V 
may take this as an indication that the ballot was corrupted. In the case that 
something is displayed, what is displayed will almost certainly be wrong, and 
again, V may take this as an indication that the ballot was corrupted. 

5. V now compares the value of C displayed to the value found in V's 
confirmation dictionary corresponding to the choice, "Green" (K's intended 
choice). At this point, V may have already received his confirmation 
dictionary in advance, or may obtain a copy through any independent 
channel. An example of such a channel would be to use a fax machine. If 
the displayed value does not match the corresponding confirmation string in 

[32462-8006US03/SL020490.01 9] -15- 2/20/02 



the confirmation dictionary, corruption is detected, and the ballot can be 

"recast" in accordance with election-specific policy. 
[0040] Each voter confirmation dictionary is computed by the vote collection center, since, 

as described above, it is the entity which has knowledge of the voter specific values of a 
and K. For the case of the voter, V, we have been considering, the dictionary is 
computed as 



Choice 


Confirmation String 


"Blue" 


C X =K fif = 37x9 18 =16 


"Green" 


C 2 =Kju% = 37x21 18 =18 


"Red" 


C 3 =^// 3 /? =37x36 18 =36 


"I abstain" 


C 4 =£// 4 /? =37xl7 18 =8 



m 

•«r - 



[0041] The level of security provided by the facility when using the SVC scheme is 

described hereafter: Let A be the vote client adversary, and let e 0 be an upper bound on the 
probability that A is able to forge a validity proof for any given ju h ...,ju K . (We know that e 0 
is negligible.) 

[0042] Theorem 1 Suppose the SVC scheme is executed with H = Id Fix 1 <_k } ^k 2 < K. 
Suppose that for some e>0, A can, with probability e, submit b } = and 

display = K t Mk 2 > w ^ere the probability is taken uniformly over all combinations of 

values for ju h ...,jU K , g, h f fi t and K ( . Then A can solve a random instance of the Diffie- 
Hellman problem with probability e, and with 0(K) additional work 
[0043] Proof: Suppose A is given X,Y,Z^ R (g). A can simulate an election and SVC exchange by 
picking C ikl e(g) and /^£<g) independently at random for all fek 2 , setting h = X,tf l =7 
and fi^fifaZ. The resulting distribution on the election parameters and C lJk . is obviously 

identical to the distribution that arises from real elections. With probability e, A can display 
C lki , so can compute 



(20) 
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So logj^^log^logjIlogjZ, and C is the solution to the Diffie-Hellman problem 

instance posed by the triple (XJ 7 Z). 

[0044] Corollary 1 Suppose again that the SVC scheme is executed with H = Id Fix \>k 2 >K. 
Suppose that for some e } >0, A can, with probability e p choose k^k 2 , submit b x = 

(g^ , h^ju^ y and displays C lk% = ^//^ , ffe probability is taken uniformly over all 

combinations of values for ju l7 ...,ju K , g, h, fi i andK t . Then A can solve a random instance 
of the Diffie-Hellman problem with probability e/fX-lJ, and with 0(K) additional work 

[0045] Proof: Follow the arguments of theorem 1, but compare to the problem of finding the 

solution to at least one of K-l independent Diffie-Hellman problems. 
[0046] Corollary 2 Let e DH be an upper bound on the probability that A can solve a random 

Diffie-Hellman instance. Then, in the case that H = Id, an upper bound on the probability 

that A can submit a vote that differs from the voter's choice, and yet display the correct 
confirmation string is e 0 +(K - 1) e DH . 

[0047] If the hash function H is non-trivial, we can not hope to make comparisons to the 

computational Diffie-Hellman problem without considerable specific knowledge of the 
properties of H. Rather than consider the security of the scheme with specific choices of H, 
we assume only that H has negligible collision probability, and instead compare security 
with the Decision Diffie-Hellman Problem. The variant of this problem we consider is as 
follows. A is given a sequence of tuples, (X n ,Y n ,Z n ,C n ), where X n J n ,Z n are generated 
independently at random. With probability 1/2, C n is the solution to the Diffie-Hellman 
instance, (X n J n ,Z n \ and with probability 1-1/2=1/2, C n is generated randomly and 
independently. A is said to have an e-DDH advantage if A can, with probability 1/2+ e, 

9 

answer the question \og Xn C n = log Xn Y n log Xn Z n . 
[0048] Theorem 1, and corollaries 1 and 2 have obvious analogs in the case H *Id 

(assuming only that H has negligible collision probability). Both the statements and proofs 
are constructed with minor variation, so we only summarize with: 

Corollary 3 Let e DDH be an upper bound on A r s DDH advantage. Then, ifH is any hash 
function with negligible collision probability, an upper bound on the probability that A can 
submit a vote that differs from the voter's choice, and yet display the correct confirmation 
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string is e 0 +(K - 1) e DDH . 
[0049] SVC may not offer any protection if the adversary, A, also controls the vote 

collection center. If this were the case, A has access to K t and ft, and thus can easily 
display any valid confirmation string of its choosing. It seems unlikely that this would 
happen, since the vote collection center would be undeniably implicated in the event that 
such activity is discovered. Nevertheless, in case it is unacceptable to trust the vote 
collection center in this regard, the "confirmation responsibility" can be distributed among 
arbitrarily many authorities. 
[0050] To distribute the confirmation responsibility, each authority, A f , \<j<J, generates 

(for voter v t ) independent random K i; - and # y . The authorities can combine these by two 
general methods. 

1. Concatenation. The voter's confirmation string is computed as a 
concatenation, in pre-specified order, of the individual confirmation strings 
(computed separately as in the previous section) corresponding to each of 
3 the J authorities. In this case, confirmation is successful only if all of the 

W substrings verify correctly. 

ft 2. Trusted Server or Printer. If it is acceptable to trust a single central 

server, or printer, the multiple confirmation strings can be combined into one 
of the same size by simply computing 



yi 



W t = Y[W. (21) 
U, = flU, (22) 

This has the advantage of reducing the amount of confirmation data that must be 
transmitted to the voter, but at the cost of creating a central point of attack for the 
system. 

[0051 ] It is always desirable to reduce the size of the data that must be sent to the voter via 

the independent channel. As described in section 3, the confirmation dictionary is already 
small by the standards of modern communications technology, but it may be cost 
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advantageous if even less data can be transmitted. As mentioned above, one approach 
might be to send the secrets K { and ft directly to the voter, but this has the disadvantage of 
putting a computational burden on the voter that is too large to be executed "in the voter's 
head," or "on paper." The following variation on the SVC scheme achieves both goals - 
less data through the independent communication channel, and "mental computation" by the 
voter. It comes at a cost, namely that the probability that a client adversary may be able to 
fool the voter is increased, however, this may be quite acceptable from the overall election 
perspective. Even if the probability of the adversary going undetected is, say 1/2, in order 
for it to change a substantial fraction of votes, the probability that it will be detected by a 
statistically significant fraction of voters will be very high. As discussed in the introduction, 
remedial measures are possible. 

[0052] The idea is to deliver the entire set of confirmation strings to the voter via the 

suspect client, but in randomly permuted order. The only additional piece of information 
that the voter needs then is the permutation that was used. This isn't quite enough, in this 
scenario, since all the confirmation strings are available, the adversary can gain some 
advantage simply by process of elimination. (The case K=2 is particularly useful to 
consider.) In order to increase the security, we include with the dictionary, several random 
confirmation strings, that are also permuted. 

[0053] The steps in subsection 3.1 are executed as before. In addition, the vote collection 

sends to the client, M ( , a "randomized dictionary," £>,, This is created by the vote collection 
center, C, as follows: 

RD-1. The K (voter specific) confirmation strings 

(S^.-A) = (H(C n ),...,H(C lK )) (23) 

are computed as before. 
RD-2. Additionally, L extra strings are generated as 

(v» v«>) = (*(«*)■ -*(**)) (24) 



where the e h ... 7 e L are generated independently at random in Z q . 
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RD-3. A random permutation, o-eI r+L is generated. 

RD-4. C sets Q^S^y for \<j<K+L, and sets D t to be the sequence of strings 

[0054] If C sends some "human readable" representation of o { to v t , through an independent 

channel, v,- can now verify her vote by simply finding the confirmation string with the proper 
index. We denote this scheme by SVCO. 

[0055] With respect to the level of security of SVCO, consider the following form of the 

Difl&e-Hellman Decision Problem: A is given a sequence of tuples, (X n ,Y n ,Z n ,C n ,D n ), where 
X n J n ,Z n are generated independently at random. Let R n be generated independently at 
random, and let O n be the solution to \og Xn O=\o% Xn Y^o% x j: n . With probability 1/2, 
(C n JD n )={O w R n ), and with probability 1-1/2=1/2, (C n JD n y=(R n ,O n ). A is said to have an e- 

9 

DDHP advantage if ,4 can, with probability 1/2+ €, answer the question log x „C„ = log x „ Y n 
log Xn Z n . That is, A must answer the same question as in the original version of the 
problem, but the problem may be easier because more information is available. 
[0056] Theorem 2 Let e DDHP be an upper bound on A's DDHP advantage, and H any hash 

function with negligible collision probability. An upper bound on the probability, under 
the SVCO scheme, that A can submit a vote that differs from the voter's choice, and yet 
display the correct confirmation string is 

V L J 

[0057] Proof: As in the proof of theorem 1, A can simulate an election and SVCO exchange. In 
this case, however, A must also simulate the list of confirmation strings that were not 
available in the SVC scheme. For k h k 2 fixed, A can pick C %h e (g) at random, and for all 

fo#2, pick 9 k eZ q independently at random. A then sets \i K = X % . For tek h k 2 , A sets 
C lk = C^F 6 *" 6 * 1 . A sets m 2 = \x. k Z , and generates L additional random p l and 1-1 additional 
C a at random. Finally, A sets = C ik C n , and the last remaining C tl = C tki D n . As before, 
finding the right confirmation string is equivalent to deciding which of the values, C n , D n is 
the correct Diffie-Hellman solution. Averaging over all permutations with uniform 
probability gives the result. 
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[0058] Below is described one possible alternative to the secret vote confirmation scheme 

described above. The level of security between those two schemes is essentially equivalent. 

1 . In addition to the election public key, h, the vote collection publishes another 
public key of the form h=tf, where d<=Z q is a secret known only to the vote 
collection center. 

2. The client, M p submits a an encrypted ballot on behalf of v ; - as before, but 
redundantly encrypted with both h and h. We denote the second 
encryption by 

(X t ,Y,) = (g*,h*m) (26) 
^ Where a, is selected independently of a t . 

2 3. M- also constructs a simple proof of validity (essentially a single Chaum- 

'i I 'i ' 

¥> Pedersen proof) that the two are encryptions of the same value. 

ill 4. If the proof of validity does not pass at the vote collection center, corruption 

is detected as before. 

fU 5. The vote collection center selects random K { G(g); #eZ and computes 

5 ?;=I^=(^)*m* (27) 

f^=}f )V' (28) 
^ = tf,2^ = Kp {a - + ' a ' ] m {d+m (29) 

6. The vote collection center returns P' and P,- to M,-. 

7. Mj computes Sf=Kpn( d¥l W* by the equation 

S,=iQm(rf+l)P- S =3 (30) 
and displays this value (or, #(<%)) to the voter, Vj. 
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8. The voter requests a confirmation dictionary as before, and checks against 
the displayed value. 

[0059] In the case of detected corruption, corrective action is taken as before. 

[0060] The description of the facility above describes using a single d (and therefore a 

single h=h d ) for all voters and publishing this value in advance of the election. 
[0061] Alternatively, the vote collection center (or distributed set of "confirmation 

authorities") issues an independent, random d i (and therefore h^) for each voter, v,. The 
value d t is always kept secret, but the value is communicated to v 2 , 
[0062] In one embodiment, the facility communicates h t to v i as follows: 

A-l v i contacts the vote collection center and authenticates himself/herself 
A-2 Assuming authentication is successful, the vote collection center: 
H* 1. Generates d t randomly 

q 2. Computes hf4fii 



m 



3. Sends h { to v- 



A-3 The voter, v,. then proceeds as described above with h t in place of A 
[0063] In another embodiment, the facility communicates h t to v f as follows: 

B-l v i contacts vote collection center (and optionally authenticates 
himselfyherself) 

B-2 v- makes ballot choice m i7 and returns the encrypted ballot (gV* 0 ^,-) 
B-3 The vote collection center at this point . 

1 . Generates d i randomly 

2. Computes hf=^ 

3. Sends h f to v f 
B-4 Voter, then 

1 . Generates second encryption of m i as Qf L *,h i a >m l ) 

2. Generates same proof of validity showing that first and second 
encryptions are encryptions of the same ballot choice, m i 

3. Sends both the second encryption, and the proof of validity to the 
ballot collection agency 

B-5 The rest of the confirmation process proceeds as described above 
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[0064] Figures 1-3 illustrate certain aspects of the facility. Figure 1 is a high-level block 

diagram showing a typical environment in which the facility operates. The block diagram 
shows several voter computer systems 1 10, each of which may be used by a voter to submit 
a ballot and verify its uncorrupted receipt. Each of the voter computer systems are 
connected via the Internet 120 to a vote collection center computer system 150. Those 
skilled in the art will recognize that voter computer systems could be connected to the vote 
collection center computer system by networks other than the Internet, however. The 
facility transmits ballots from the voter computer systems to the vote collection center 
computer system, which returns an encrypted vote confirmation. In each voter computer 
system, the facility uses this encrypted vote confirmation to determine whether the 
submitted ballot has been corrupted. While preferred embodiments are described in terms in 
the environment described above, those skilled in the art will appreciate that the facility may 
be implemented in a variety of other environments including a single, monolithic computer 
system, as well as various other combinations of computer systems or similar devices 
connected in various ways. 

8R [0065] Figure 2 is a block diagram showing some of the components typically incorporated 

in at least some of the computer systems and other devices on which the facility executes, 
such as computer systems 110 and 130. These computer systems and devices 200 may 
include one or more central processing units ("CPUs 1 ') 201 for executing computer 
programs; a computer memory 202 for storing programs and data while they are being 
used; a persistent storage device 203, such as a hard drive for persistently storing programs 
and data; a computer-readable media drive 204, such as a CD-ROM drive, for reading 
programs and data stored on a computer-readable medium; and a network connection 205 
for connecting the computer system to other computer systems, such as via the Internet. 
While computer systems configured as described above are preferably used to support the 
operation of the facility, those skilled in the art will appreciate that the facility may be 
implemented using devices of various types and configurations, and having various 
components. 

[0066] Figure 3 is a flow diagram showing steps typically performed by the facility in order 

to detect a compromised ballot. Those skilled in the art will appreciate that the facility may 
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perform a set of steps that diverges from those shown, including proper supersets and 
subsets of these steps, reorderings of these steps, and steps of sets in which performance of 
certain steps by other computing devices. 
[0067] In step 301, on the voter computer system, the facility encodes a ballot choice 

selected by the voter in order to form a ballot. In step 302, the facility encrypts this ballot. 
In some embodiments, the encrypted ballot is an ElGamal pair, generated using an election 
public key and a secret maintained on the voter computer system. In step 303, the facility 
optionally signs the ballot with a private key belonging to the voter. In step 304, the facility 
constructs a validity proof that demonstrates that the encrypted ballot is the encryption of a 
ballot in which a valid ballot choice is selected. In step 305, the facility transmits the 
encrypted, signed ballot and the validity proof to a vote collection center computer system. 
[0068] In step 321, the facility receives this transmission in the vote collection center 

b computer system. In step 322, the facility verifies the received validity proof. In step 323, 

m if the validity proof is successfully verified, then the facility continues with 324, else the 

jj facility does not continue in step 324. In step 324, the facility generates an encrypted 

tH confirmation of the encrypted ballot. The facility does so without decrypting the ballot, 

J" which is typically not possible in the vote collection center computer system, where the 

t! secret used to encrypt the ballot is not available. In step 325, the facility transmits the 

W encrypted confirmation 33 1 to the voter computer system. 

[0069] In step 341, the facility receives the encrypted vote confirmation in the voter 

computer system. In step 342, the facility uses the secret maintained on the voter computer 
system to decrypt the encrypted vote confirmation. In step 343, the facility displays the 
decrypted vote confirmation for viewing by the user. In step 344, if the displayed vote 
confirmation is translated to the ballot choice selected by the voter by a confirmation 
dictionary in the voter's possession, then the facility continues in step 345, else the facility 
continues in step 346. In step 345, the facility determines that the voter's ballot is not 
corrupted, whereas, in step 346, the facility determines that the voter's ballot is corrupted. 
In this event, embodiments of the facility assist the user in revoking and resubmitting the 
voter's ballot. 
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[0070] It will be appreciated by those skilled in the art that the above-described facility may 

be straightforwardly adapted or extended in various ways. While the foregoing description 
makes reference to preferred embodiments, the scope of the invention is defined solely by 
the claims that follow and the elements recited therein. 



m 
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